CVE-2025-47615
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flowdee Amazon Product in a Post amazon-product-in-a-post-plugin allows Stored XSS. This issue affects Amazon Product in a Post: from n/a through <= 5.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress Amazon Product in a Post plugin up to v5.2.2 allows authenticated attackers to inject malicious scripts.
The vulnerability is a stored Cross-Site Scripting (XSS) flaw in the Amazon Product in a Post plugin for WordPress, affecting versions through 5.2.2. The root cause is improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be stored in the database and later executed in the context of a victim's browser [1].
Exploitation requires an authenticated user with at least contributor-level privileges to inject crafted payloads via the plugin's input fields. Storing the payload needs no victim interaction; however, according to the advisory, user interaction (such as the victim visiting a modified page) is necessary for the script to execute [1]. This is typical of stored XSS: the stored script runs automatically whenever a victim loads the affected page.
The impact includes the ability to inject arbitrary HTML and JavaScript, leading to redirections, unwanted advertisements, or other malicious actions when guests visit compromised pages. Attackers could leverage this for session hijacking, phishing, or site defacement, potentially affecting thousands of sites due to mass-exploit campaigns targeting WordPress plugins [1].
As a mitigation, users should immediately update the Amazon Product in a Post plugin to the latest patched version beyond 5.2.2. The developer has not released a workaround, and no reliable alternative exists [1]. Given the active exploitation risk, site administrators are urged to prioritize this update.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 5.2.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.